From 083678be2ba07ffcf42a9a59d08b2124d5f07dcf Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn
Date: Tue, 4 Jun 2024 13:30:51 +0200
Subject: [PATCH] apparmor: regenerate rules

Follow the instruction from config/apparmor/README:
./lxc-generate-aa-rules.py container-rules.base > container-rules
cat abstractions/container-base.in container-rules > abstractions/container-base

Signed-off-by: Alexander Mikhalitsyn
---
 config/apparmor/abstractions/container-base | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 69bf6c3b5..d9e7ff043 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -73,6 +73,7 @@
   # block some other dangerous paths
   deny @{PROC}/kcore rwklx,
   deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/acpi/** rwklx,
   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
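Review bot: The added `deny @{PROC}/acpi/** rwklx,` appears to cover only the entries beneath /proc/acpi and not the directory itself, whereas the debugfs rule later in this same file uses the `{,**}` form (`deny /sys/kernel/debug/{,**} rwklx,`) to deny both the directory and its contents. If listing /proc/acpi is also meant to be blocked, the rule should read `deny @{PROC}/acpi/{,**} rwklx,`. Since this file is generated from abstractions/container-base.in per the commit message, the change belongs in the template rather than in this output, and the regenerated file would then pick it up.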
@@ -85,21 +86,20 @@
   mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
-  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
 
   # deny reads from debugfs
   deny /sys/kernel/debug/{,**} rwklx,
 
   # allow paths to be made slave, shared, private or unbindable
-  mount options=(rw,make-slave) -> **,
-  mount options=(rw,make-rslave) -> **,
-  mount options=(rw,make-shared) -> **,
-  mount options=(rw,make-rshared) -> **,
-  mount options=(rw,make-private) -> **,
-  mount options=(rw,make-rprivate) -> **,
-  mount options=(rw,make-unbindable) -> **,
-  mount options=(rw,make-runbindable) -> **,
+  mount options=(rw,make-slave) -> /**,
+  mount options=(rw,make-rslave) -> /**,
+  mount options=(rw,make-shared) -> /**,
+  mount options=(rw,make-rshared) -> /**,
+  mount options=(rw,make-private) -> /**,
+  mount options=(rw,make-rprivate) -> /**,
+  mount options=(rw,make-unbindable) -> /**,
+  mount options=(rw,make-runbindable) -> /**,
 
   # allow bind-mounts of anything except /proc, /sys and /dev
   mount options=(rw,bind) /[^spd]*{,/**},
@@ -146,7 +146,6 @@
   mount options=(rw,move) /s[^y]*{,/**},
   mount options=(rw,move) /sy[^s]*{,/**},
   mount options=(rw,move) /sys?*{,/**},
-
   # generated by: lxc-generate-aa-rules.py container-rules.base
   deny /proc/sys/[^kn]*{,/**} wklx,
   deny /proc/sys/k[^e]*{,/**} wklx,
-- 
2.47.2
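Review bot: The switch from `-> **` to `-> /**` on the eight make-slave…make-runbindable rules, and the dropped cgmanager move-mount rule just above them, are not explained anywhere in the hunk or in the commit message, which only says the file was regenerated. Presumably the mount-point pattern is now required to be an absolute path; a one-line comment in the template above these rules, e.g. `# mount points must be absolute paths (/** rather than **)`, would stop a later regeneration or hand edit from reverting it. The cgmanager removal is a policy change worth one sentence in the commit description so that reviewers of the generated file can see it was intentional rather than a generator artefact.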